Return to Answer

replaced http://security.stackexchange.com/ with https://security.stackexchange.com/

Source Link

edited Mar 17, 2017 at 10:46

Community Bot

Passwords

can be easy to forget.
can be easy to guess / crack.
can have different contraints in terms of characters you can use, length...
are very often re-used on different services.
have you heard of those passwords database leaked?

Challenge-Response

can comprise any amount of challenges (e.g. enter 3 passwords in a row)
can support one-time passwords (OTP - http://pdub.net/2012/01/03/one-time-passwords-pam/)

SSH keys (or api token)

don't have to be remembered (stored on your computer).
are tougher to guess / crack (compared to dictionary attack).
need not be shared on different services.

Asymmetry / password strength.

Most public/private key solutions use asymmetric keys (haven't heard otherwise but wouldn't put my money on it). If your public key is compromised, then that does not give an attacker access to the system.
Password databases need to have one-way encryption; and one that is strong enough or that wastes enough compute cycles that it becomes difficult to brute-force.

Reset workflow

Using passwords or ssh keys is irrelevant here, at some point a user is going to either forget their password (e.g. they had CAPS LOCK when they created it...) or reinstall their system (e.g. time machine / upgrades ...). How do you cope with such situations? You will have to change the password/key (assume the previous one is compromised) and securely communicate the new one to the user.

See the accepted answer accepted answer. If your kid is trying to get inside your house. The challenge there is you first need to confirm it's your son (e.g. you know it is their phone number, you recognize their voice, that's the challenge part). The very common workflow is to generate a temporary password / one-time password and have your son change their password. But, this could very well be: give them a one-time password and let them upload their new ssh key / api token. Heck, you could even not bother to let them change their credentials at all and just remotely let them in if your keypad/keylock is connected.

Note: nothing prevents your ex-wife to collude with your son in order to trick you and gain access to the house.

Which one is better?

This depends on your use-case and acceptable losses. Since both passwords / ssh keys / api tokens are being possessed by a user, the user can share them. If you support password authentication and passwords get leaked, then some of your users may have to change their passwords on external websites -- just because they re-use the same passwords elsewhere. If you use public/private keys, then you have less to worry about.

You don't have to choose one or the other. You can use both! E.g. you can have both a keylock (your personal copy) and a numeric padlock (guests).

Passwords

can be easy to forget.
can be easy to guess / crack.
can have different contraints in terms of characters you can use, length...
are very often re-used on different services.
have you heard of those passwords database leaked?

Challenge-Response

can comprise any amount of challenges (e.g. enter 3 passwords in a row)
can support one-time passwords (OTP - http://pdub.net/2012/01/03/one-time-passwords-pam/)

SSH keys (or api token)

don't have to be remembered (stored on your computer).
are tougher to guess / crack (compared to dictionary attack).
need not be shared on different services.

Asymmetry / password strength.

Most public/private key solutions use asymmetric keys (haven't heard otherwise but wouldn't put my money on it). If your public key is compromised, then that does not give an attacker access to the system.
Password databases need to have one-way encryption; and one that is strong enough or that wastes enough compute cycles that it becomes difficult to brute-force.

Reset workflow

See the accepted answer. If your kid is trying to get inside your house. The challenge there is you first need to confirm it's your son (e.g. you know it is their phone number, you recognize their voice, that's the challenge part). The very common workflow is to generate a temporary password / one-time password and have your son change their password. But, this could very well be: give them a one-time password and let them upload their new ssh key / api token. Heck, you could even not bother to let them change their credentials at all and just remotely let them in if your keypad/keylock is connected.

Note: nothing prevents your ex-wife to collude with your son in order to trick you and gain access to the house.

Which one is better?

You don't have to choose one or the other. You can use both! E.g. you can have both a keylock (your personal copy) and a numeric padlock (guests).

Passwords

can be easy to forget.
can be easy to guess / crack.
can have different contraints in terms of characters you can use, length...
are very often re-used on different services.
have you heard of those passwords database leaked?

Challenge-Response

can comprise any amount of challenges (e.g. enter 3 passwords in a row)
can support one-time passwords (OTP - http://pdub.net/2012/01/03/one-time-passwords-pam/)

SSH keys (or api token)

don't have to be remembered (stored on your computer).
are tougher to guess / crack (compared to dictionary attack).
need not be shared on different services.

Asymmetry / password strength.

Most public/private key solutions use asymmetric keys (haven't heard otherwise but wouldn't put my money on it). If your public key is compromised, then that does not give an attacker access to the system.
Password databases need to have one-way encryption; and one that is strong enough or that wastes enough compute cycles that it becomes difficult to brute-force.

Reset workflow

Note: nothing prevents your ex-wife to collude with your son in order to trick you and gain access to the house.

Which one is better?

You don't have to choose one or the other. You can use both! E.g. you can have both a keylock (your personal copy) and a numeric padlock (guests).

Source Link

answered Dec 14, 2014 at 23:20

dnozay

Passwords

can be easy to forget.
can be easy to guess / crack.
can have different contraints in terms of characters you can use, length...
are very often re-used on different services.
have you heard of those passwords database leaked?

Challenge-Response

can comprise any amount of challenges (e.g. enter 3 passwords in a row)
can support one-time passwords (OTP - http://pdub.net/2012/01/03/one-time-passwords-pam/)

SSH keys (or api token)

don't have to be remembered (stored on your computer).
are tougher to guess / crack (compared to dictionary attack).
need not be shared on different services.

Asymmetry / password strength.

Most public/private key solutions use asymmetric keys (haven't heard otherwise but wouldn't put my money on it). If your public key is compromised, then that does not give an attacker access to the system.
Password databases need to have one-way encryption; and one that is strong enough or that wastes enough compute cycles that it becomes difficult to brute-force.

Reset workflow

Note: nothing prevents your ex-wife to collude with your son in order to trick you and gain access to the house.

Which one is better?

You don't have to choose one or the other. You can use both! E.g. you can have both a keylock (your personal copy) and a numeric padlock (guests).